Press Center

Malware and antivirus software


ESET researchers reveal modus operandi of the elusive InvisiMole group as it targeted military and diplomatic entities

Created: 2020-06-18 12:29:07

A new espionage campaign by the InvisiMole group leads ESET researchers to discover InvisiMole’s hidden toolset and strategic cooperations with the Gamaredon group.

BRATISLAVA – Investigating a new campaign by the InvisiMole group, a threat actor first 
reported by ESET in 2018, ESET researchers uncovered the group’s updated toolset as well as previously unknown details about its mode of operation. The findings arise from a collaborative investigation with the affected organizations. In its new campaign, the InvisiMole group resurfaced with an updated toolset, targeting a few high-profile organizations in the military sector and diplomatic missions, both in Eastern Europe. According to ESET telemetry, the attack attempts were ongoing from late 2019 to at least June 2020, when ESET researchers published their findings.

InvisiMole, active since at least 2013, was first documented by ESET in connection with targeted cyberespionage operations in Ukraine and Russia, using two feature-rich backdoors to spy on victims. “Back then, we found these surprisingly well-equipped backdoors, but a large part of the picture was missing – we didn’t know how they were delivered, spread and installed on the system,” explains Zuzana Hromcová, ESET researcher who analyzed InvisiMole.

Thanks to investigating the attacks in cooperation with the affected organizations, ESET researchers gained an opportunity to take a proper look under the hood of InvisiMole’s operations. “We were able to document the extensive toolset used for delivery, lateral movement and execution of InvisiMole’s backdoors,” says Anton Cherepanov, the ESET malware researcher who led the investigation.

One of the main findings of the investigation concerns InvisiMole group’s cooperation with another threat group, 
Gamaredon. The researchers discovered that InvisiMole’s arsenal is only unleashed after Gamaredon has already infiltrated the network of interest, and possibly gained administrative privileges. “Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware. This allows the InvisiMole group to devise creative ways of operating under the radar,” comments Hromcová.

As for staying under the radar, the researchers found that InvisiMole uses four different execution chains, crafted by combining malicious shellcode with legitimate tools and vulnerable executables. To hide the malware from security researchers, InvisiMole components are protected with per-victim encryption, ensuring that the payload can only be decrypted and executed on the affected computer. The updated InvisiMole toolset also features a new component that uses DNS tunneling for stealthier C&C communication.

Analyzing the group’s updated toolset, the researchers observed substantial improvements compared to the previously analyzed versions. “With this new knowledge, we’ll be able to track the group’s malicious activities even more closely,” concludes Hromcová.

For an in-depth technical analysis of the newest InvisiMole toolset, refer to the white paper “
InvisiMole: The hidden part of the story” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Limited

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.


ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.